
Auditing Archives: The Case of the Evil Java Script

Virtually all ecommerce sites add or include third party scripts to their website. The problem comes when a web developer includes third party script on pages that accept sensitive information (e.g., payment page, login page).

2.
Business background
A small ecommerce parts dealer hired a third-party analytics expert to track site statistics.

3.
Business background
The dealer included the third party's JavaScript on all website pages, including the customer checkout page.
The script dynamically loads from the third party's servers each time a page loads.

4.
What is included JavaScript (or included code)?
JavaScript is a scripting language used when writing a website that interacts with a user's browser.
These scripts can be written by the company's own developers or included from external web sources.

5.
How hackers could get in
Cybercriminals could successfully hack the third-party server that hosted the analytics JavaScript.
They could rewrite the script so it would secretly search for and access any information contained on, or entered into, the web pages it was included on.

6.
How hackers could get in
Malicious JavaScript could copy payment information each time a customer entered a credit card on the small parts dealer's checkout page.

7.
What the business did wrong
Dynamically including third-party JavaScript on a page that accepts sensitive information (e.g., login pages, payment pages) is not a secure practice.

8.
What the business did wrong
The ecommerce merchant should have requested assurance from the third party of strong server security and constant checking of the scripts to ensure they are not modified.

9.
What the business did wrong
Don't assume the third party is responsible. Remember, anything written or included on a merchant's ecommerce website is the merchant's own responsibility.